Authenticity label for items

ABSTRACT

Disclosed are various embodiments of multi-layer identifier labels. In one embodiment, a multi-layer identifier label includes an upper layer bearing a public identifier, a lower layer bearing a private identifier, and an adhesive backing below the lower layer. The upper layer may be removably attached to the lower layer, and the lower layer may be non-visible underneath the upper layer. Peeling away the upper layer to reveal the lower layer may be a tamper-evident action.

BACKGROUND

When purchasing items such as groceries at a grocery store, it may beimpossible for a consumer to verify the authenticity of a product. Forexample, the contents of the packaging may not correspond to what theconsumer was expecting. The consumer will typically have no way ofverifying the ingredients of the product and its source. Further, theconsumer will typically have no knowledge of when the product wasmanufactured, or of its chain of custody to the store shelves. Likewise,it may be difficult if not impossible for the store to determine whichcustomers have purchased specific defective products in order to performa recall.

BRIEF DESCRIPTION OF THE DRAWINGS

Many aspects of the present disclosure can be better understood withreference to the following drawings. The components in the drawings arenot necessarily to scale, with emphasis instead being placed uponclearly illustrating the principles of the disclosure. Moreover, in thedrawings, like reference numerals designate corresponding partsthroughout the several views.

FIG. 1A is a drawing of a multi-layer identifier label according to anembodiment of the present disclosure.

FIG. 1C is a drawing of an underside of the upper layer of a multi-layeridentifier label.

FIG. 1B is a drawing of an upper layer and a lower layer of amulti-layer identifier label according to various embodiments of thepresent disclosure.

FIG. 2 is a drawing of a networked environment according to variousembodiments of the present disclosure.

FIGS. 3A and 3B are flowcharts illustrating one example of functionalityimplemented as portions of an item tracking application executed in acomputing environment in the networked environment of FIG. 2 accordingto various embodiments of the present disclosure.

FIG. 3C is a flowchart illustrating one example of functionalityimplemented as portions of a label verification system executed in acomputing environment in the networked environment of FIG. 2 accordingto various embodiments of the present disclosure.

FIG. 4 is a state diagram corresponding to one example of a lifecycle ofan item in the networked environment of FIG. 2 according to variousembodiments of the present disclosure.

FIG. 5 is a schematic block diagram that provides one exampleillustration of a computing environment employed in the networkedenvironment of FIG. 2 according to various embodiments of the presentdisclosure.

DETAILED DESCRIPTION

The present disclosure relates to tracking and verifying authenticityfor items. There is an increasing demand by consumers for informationabout the products that they purchase. The farm-to-table movement, inparticular, has raised consumer awareness about the ultimate source offood that they consume. Locally grown food products are becoming moredesirable than products sourced from far away, at least for theinformation provided about product origin. Chickens raised by Joe Smithin the next town may be more desirable than chicken of unknown originsourced from a multi-national chicken corporation. Further, consumershave become more fickle about how food is grown and livestock areraised. Free-range livestock that are fed natural foods may be moredesirable than cage-raised livestock that are fed a processed food.Consumers are also more conscious of organic and environmentallysustainable agriculture, while genetic modifications, herbicides,insecticides, and so on, are perceived negatives. Also, there is arising awareness of food allergies and sensitivities (e.g., glutenintolerance, lactose intolerance, nut allergies, etc.), making itimportant for consumers to identify the ingredients used in their foodproducts. Products produced in a non-environmentally sustainable way maybe disfavored. Issues relating to consumer preferences apply not only tofood items, but to apparel and other categories of items as well.

Consumers may have relied upon representations as to item source,ingredients, and so on that were not tied to specific items. Forinstance, a food product may be marketed as organic, but there may be noway for consumers to be assured that the specific products they arepurchasing have not been adulterated or have an acceptable source. Itemsare typically marked with universal product codes (UPC), but theseidentify the item generally, not a specific instance of the item. Evenassuming that a specific instance of an item were marked with a uniquecode, the possibility exists for the code to be moved to different itemsor be replicated by fraudsters.

FIG. 1C is a drawing of an underside 130 of the upper layer 103 of amulti-layer identifier label 100. In this example, the underside 130bears an instruction 133 for an end user to scan the private identifier118.

Various embodiments of the present disclosure facilitate tracking andauthenticity verification for an item through the use of a pair ofpublic and private identifiers. Each specific instance of an item (e.g.,a single box of cereal) may be associated with a unique publicidentifier and a unique private identifier contained on a label. Thelabel may, for example, contain multiple layers. In one embodiment, anupper layer bears the public identifier, and a lower layer bears theprivate identifier. The lower layer may be non-visible unless atamper-evident action is performed, e.g., the top layer is removed.While the item is being manufactured, warehoused, and transported, onlythe upper layer bearing the public identifier may be visible. The publicidentifier may be scanned upon the occurrence of various events, therebycreating a history record uniquely associated to the item.

When an item is shipped to a consumer, the item may be associated withthe user account of the consumer. Upon arrival, the consumer may performthe tamper-evident action with respect to the upper layer of the labelin order to expose the private identifier on the lower layer of thelabel. The consumer may scan the private identifier via a client device,or manually enter the private identifier via a web site. Theauthenticity of the item may be determined, and the authenticityverification and history of the item may be presented to the consumer.This item-level tracking may be used to manage various operationalprocesses for the items as well as to ensure quality and safety. Inparticular, item-specific expirations may be monitored, and recalls ofspecific items may be performed.

With reference to FIG. 1A, shown is an example of a multi-layeridentifier label 100 according to one embodiment. The multi-layeridentifier label 100 here includes an upper layer 103 and a lower layer106. The upper layer 103 may be opaque and constructed of laminatedpaper with foil in one embodiment. The lower layer 106 may beconstructed of a poly material in one embodiment. The lower layer 106may be a sticker affixed to an item, while the upper layer 103 may be asticker affixed to the lower layer 106. The upper layer 103 bears apublic identifier 109. The public identifier 109 may comprise a barcode,a two-dimensional barcode (data matrix), quick response (QR) code, analphanumeric string, or other form of identifier. The upper layer 103may include a hologram 112. The presence of a hologram 112 may make itmore difficult to create a knock-off of the label. The hologram 112 mayalso serve as a tamper-evident seal to indicate whether the upper layer103 has been tampered with and/or peeled off.

A peel indicator 115 may be used to indicate to the end user that theupper layer 103 is designed to be peeled off to reveal the lower layer106. In some embodiments, such as those depicted in FIG. 1B, the upperlayer 103 may include a protrusion 116 that extends beyond the edge ofthe lower layer 106. Also, the lower layer 106 may include a nook 117that recedes from the edge of the upper layer 103. The protrusion 116and/or nook 117 may assist the user in removing the upper layer 103 fromthe lower layer 106.

Returning to FIG. 1A, the lower layer 106 bears a private identifier118. The private identifier 118 may comprise a barcode, atwo-dimensional barcode (data matrix), quick response (QR) code, analphanumeric string, or other form of identifier. In some embodiments,it may be desirable not to use a QR code in an attempt to prevent usersfrom using non-approved scanning tools that automatically redirect to auniform resource locator (URL) embedded in the QR code. Because of thedesign of the multi-layer identifier label 100, the private identifier118 is non-visible until a tamper-evident action is performed, such aspeeling the upper layer 103 off of the lower layer 106. A hologram 121or other security feature may be present upon the lower layer 106. Thelower layer 106 may also contain instructions 124 for the end user. Forexample, instructions 124 may instruct the user to scan privateidentifier 118 with a specific application. In one embodiment,additional instructions 124 may be present upon the underside of theupper layer 103.

Peeling the upper layer 103 from the lower layer 106 may be atamper-evident action. For example, portions of the upper layer 103 mayseparate, thereby leaving a “void” mark. Also, the upper layer 103 maybe removably attached to the lower layer 106 via a clean-releasemechanism. For example, after the upper layer 103 is peeled away, theunderside of the upper layer 103 as well as the top side of the lowerlayer 106 may be non-sticky.

The lower layer 106 may have an adhesive backing that is configured tobe attached to a product, and removing the lower layer 106 from theproduct may also be a tamper-evident action. Using a tamper-evidentmaterial in the construction of the lower layer 106 may prevent themulti-layer identifier label 100 from being removed from a first productand reaffixed to another product. For example, removing the lower layer106 may cause portions of the lower layer 106 to separate, therebyleaving a “void” mark. Thus, the tamper-evident material of the lowerlayer 106 indicates that the multi-layer identifier label 100 has beenremoved from its original surface.

As a tamper-evident feature, in one embodiment, the public identifier109 may be printed upon the lower layer 106 in the area 127. The upperlayer 103 may contain a transparent window above the area 127 in orderfor the public identifier 109 to be visible via the upper layer 103 suchthat the upper layer 103 bears the public identifier 109. In oneembodiment, despite being printed upon the lower layer 106, the publicidentifier 109 may adhere to the upper layer 103 and peel off with theupper layer 103. The area 127 may be specially coated with silicone oranother substance such that the ink adheres to the underside of theupper layer 103 and is removed from the lower layer 106. This maysimplify printing such that both the public identifier 109 and theprivate identifier 118 may be printed upon a single layer of themulti-layer identifier label 100. A generic upper layer 103 may then beaffixed on top of the specific lower layer 106. In such an embodiment,having the public identifier 109 peel off with or be destroyed byremoving the upper layer 103 enables a client device to scan the privateidentifier 118 without any confusion as to which identifier is to bescanned.

The multi-layer identifier label 100 may also be configured such thatthe upper layer 103 does not unintentionally peel away from the lowerlayer 106 due to brushing against equipment or other actions in thesupply chain. For example, a glue release element may be disposedbetween the upper layer 103 and the lower layer 106 at or near the peelindicator 115. Consequently, the upper layer 103 may be easily releasedonly at or near the peel indicator 115. The glue used at other edgeareas may prevent unintentional separation from occurring at the otheredge areas of the upper layer 103.

In the following discussion, a general description of a system that usesthe multi-layer identifier label 100 is provided, followed by adiscussion of the operation of the same.

Moving on to FIG. 2, shown is a networked environment 200 according tovarious embodiments. The networked environment 200 includes a computingenvironment 203, one or more producer client devices 206, and one ormore consumer client devices 209, which are in data communication witheach other via a network 215. The network 215 includes, for example, theInternet, intranets, extranets, wide area networks (WANs), local areanetworks (LANs), wired networks, wireless networks, cable networks,satellite networks, or other suitable networks, etc., or any combinationof two or more such networks.

The computing environment 203 may comprise, for example, a servercomputer or any other system providing computing capability.Alternatively, the computing environment 203 may employ a plurality ofcomputing devices that may be arranged, for example, in one or moreserver banks or computer banks or other arrangements. Such computingdevices may be located in a single installation or may be distributedamong many different geographical locations. For example, the computingenvironment 203 may include a plurality of computing devices thattogether may comprise a hosted or “cloud” computing resource, a gridcomputing resource, and/or any other distributed computing arrangement.In some cases, the computing environment 203 may correspond to anelastic computing resource where the allotted capacity of processing,network, storage, or other computing-related resources may vary overtime.

Various applications and/or other functionality may be executed in thecomputing environment 203 according to various embodiments. Also,various data is stored in a data store 218 that is accessible to thecomputing environment 203. The data store 218 may be representative of aplurality of data stores 218 as can be appreciated. The data stored inthe data store 218, for example, is associated with the operation of thevarious applications and/or functional entities described below.

The components executed on the computing environment 203, for example,include an item tracking application 221, a label printing service 224,a label verification system 225 in communication with sensors 226 a and226 b, and other applications, services, processes, systems, engines, orfunctionality not discussed in detail herein. The item trackingapplication 221 is executed to perform item tracking and authenticityverification functions. The various functions performed by the itemtracking application 221 may include generating public identifiers 109and private identifiers 118, recording events 227 relating to itemhistory, and performing verification of authenticity for a given privateidentifier 118 corresponding to an item. The label printing service 224is executed to coordinate printing of multi-layer identifier labels 100(FIG. 1A) and routing of multi-layer identifier labels 100 to variousmanufacturers and/or distributors of items. The label verificationsystem 225 is configured to verify the correct production of themulti-layer identifier labels 100 via sensors 226 a and 226 b.

The data stored in the data store 218 includes, for example, item data230, user account data 233, label data 236, and potentially other data.The item data 230 includes various data corresponding to items offeredfor sale, lease, rental, or other form of consumption. Such items maycomprise products, goods, or other items to which a multi-layeridentifier label 100 may be affixed. Each specific instance of an itemmay be associated with a public identifier 109 and a private identifier118. The private identifier 118 may be encrypted or otherwise maintainedin a secure way. In one embodiment, the private identifier 118 may beencrypted using a reversible form of encryption. In another embodiment,the private identifier 118 may be encrypted using a non-reversible formof encryption (e.g., a hash). It may be that a reversibly encrypted formof the private identifier 118 may be maintained in order to performrotations of a hashing function used to generate the non-reversiblyencrypted form of the private identifier 118.

The item data 230 may include an item history record 239 that records aplurality of events 227 associated with processing of the item. Theevents 227 may be generated by manufacturers, distributors, shippingcarriers, and/or other agents who have produced or transported thecorresponding item. Each event 227 may be associated with the item byway of scanning or entering the public identifier 109 in connection withgenerating the respective event 227. An event 227 may be used to tiespecific information to an item, such as manufacturing date,manufacturing location, batch number, list of ingredients, expirationdate, harvest date, source country, and so on. The events 227 may alsorelate to the chain of custody for the item, including describingentities who have had possession of the item and the times they gainedor lost custody. This may include manufacturers, distributors, shippers,customers, and so on.

The item data 230 may also record the authentication requests 242associated with the item. An authentication request 242 may correspondto a specific instance in which a private identifier 118 for an item ispresented for authentication of the item. The authentication requests242 may be recorded for the purpose of limiting the number ofauthentication requests 242 for the item to a maximum threshold.Although it may be desirable to allow for multiple authenticationrequests 242 for re-verification and/or verification by subsequentconsumers of the item, limiting the total number of authenticationrequests 242 may ensure that a private identifier 118 is not reused in afraudulent way.

The user account data 233 may include various data associated with useraccounts, such as order data 245, security credentials 248, and/or otherdata. The order data 245 may record information relating to an orderplaced by a specific consumer user, including a list of items purchased,scheduled delivery date, whether the item has been delivered, whetherthe item has been returned, and so on. When an order is fulfilled, theorder data 245 may be associated with the specific item sent or to besent to the consumer. Thus, an individual user account may be associatedwith the public identifier 109, the private identifier 118, and/or otherinformation in the item data 230. The security credentials 248 mayinclude usernames, passwords, and/or other credentials used inauthenticating a user at a consumer client device 209.

The label data 236 includes information about multi-layer identifierlabels 100, including those that have not yet been manufactured andthose that have been manufactured and have not yet been affixed toitems. The label data 236 may indicate the respective public identifier109 and private identifier 118 of the various labels as well as thecurrent status for each. The label data 236 may identify labels thathave been shipped to a manufacturer to be applied to items but are notyet associated with items.

The producer client devices 206 and the consumer client devices 209 arerepresentative of a plurality of client devices that may be coupled tothe network 215. Each of the producer client devices 206 and theconsumer client devices 209 may comprise, for example, a processor-basedsystem such as a computer system. Such a computer system may be embodiedin the form of a desktop computer, a laptop computer, personal digitalassistants, cellular telephones, smartphones, set-top boxes, musicplayers, web pads, tablet computer systems, game consoles, electronicbook readers, or other devices with like capability. Each of theproducer client devices 206 and the consumer client devices 209 mayinclude a display 263. The display 263 may comprise, for example, one ormore devices, such as liquid crystal display (LCD) displays, gasplasma-based flat panel displays, organic light emitting diode (OLED)displays, electrophoretic ink (E ink) displays, LCD projectors, or othertypes of display devices, etc.

Each of the producer client devices 206 and the consumer client devices209 may be configured to execute various applications such as a clientapplication 266 and/or other applications. The client application 266may be executed, for example, to access network content served up by thecomputing environment 203 and/or other servers, thereby rendering a userinterface 269 on the display 263. To this end, the client application266 may comprise, for example, a browser, a dedicated application, etc.,and the user interface 269 may comprise a network page, an applicationscreen, etc. Each of the producer client devices 206 and the consumerclient devices 209 may be configured to execute applications beyond theclient application 266 such as, for example, email applications, socialnetworking applications, word processors, spreadsheets, and/or otherapplications.

Next, a general description of the operation of the various componentsof the networked environment 200 is provided. To begin, the itemtracking application 221 creates item data 230, including a publicidentifier 109 and a private identifier 118. These identifiers are eachunique for a particular instance of an item. The item trackingapplication 221 then initiates the printing of a label corresponding tothe item via the label printing service 224.

One example of such a label is shown in FIG. 1A, but this example is notintended to be limiting. Characteristic of the example label is that thepublic identifier 109 is initially visible, and the private identifier118 is initially non-visible, where the label is designed so thatprivate identifier 118 is to be accessible only to the end consumer.Tamper-evident features of the label are present so that any attempt toaccess the private identifier 118 may be seen based on changes to thelabel.

The printed label is then transferred to a manufacturer or other sourceof an item. The label may be affixed to the item by that entity.Moreover, the manufacturer or other source may upload detailedinformation about the item, to include expiration date, a list ofingredients, a source country, and/or other information. Thisinformation may be recorded in an event 227 in the item history record239 of the item data 230.

As the item is received by a fulfillment center or other materialshandling facility or shipped from such a facility, the item label may bescanned to obtain the public identifier 109 via the producer clientdevice 206. Events 227 may be created, and the item history record 239may be updated based upon the time, status, and/or other informationrelating to the chain of custody for the item. The item may beassociated with a specific end user via an order in the order data 245.

The item is delivered to the end user with the label intact. That is tosay, the public identifier 109 may be visible and the private identifier118 may be non-visible. If the private identifier 118 is visible whenthe item is delivered, the end user may understand that the label hasbeen tampered with. If the label is intact, the end user may perform atamper-evident action in order to expose the private identifier 118. Theend user may then scan the private identifier 118 via the consumerclient device 209.

When the private identifier 118 is scanned, the item trackingapplication 221 may perform various checks to ensure that the item isauthentic. The item tracking application 221 may return an indication ofwhether the item is authentic to the consumer client device 209 forrendering in a user interface 269. Additionally, information from theitem history record 239 may be sent to the consumer client device 209for rendering in a user interface 269.

Referring next to FIG. 3A, shown is a flowchart that provides oneexample of the operation of a portion of the item tracking application221 according to various embodiments. It is understood that theflowchart of FIG. 3A provides merely an example of the many differenttypes of functional arrangements that may be employed to implement theoperation of the portion of the item tracking application 221 asdescribed herein. As an alternative, the flowchart of FIG. 3A may beviewed as depicting an example of elements of a method implemented inthe computing environment 203 (FIG. 2) according to one or moreembodiments.

Beginning with box 303, the item tracking application 221 generates apublic identifier 109 (FIG. 2) and a private identifier 118 (FIG. 2). Inbox 306, the item tracking application 221 stores the public identifier109 and a hashed value of the private identifier 118 in the data store218 (FIG. 2). In addition, a reversibly encrypted version of the privateidentifier 118 may also be stored in some embodiments to facilitaterecovery and/or rotation of the hashing function.

In box 309, the item tracking application 221 initiates printing of amulti-layer identifier label 100 (FIG. 1A) via the label printingservice 224 (FIG. 2). In this regard, the public identifier 109 and theprivate identifier 118 may be transferred to the label printing service224. In some cases, the label printing service 224 may be operated by athird-party vendor, and the public identifier 109 and private identifier118 may be securely transferred to the label printing service 224 viathe network 215 (FIG. 2). In box 310, the item tracking application 221may receive a confirmation from the label printing service 224 thatprinting has completed.

In box 312, the item tracking application 221 may initiate a transfer ofthe label to a manufacturer, a vendor, or another party in order for thelabel to be affixed to an item. In box 315, the item trackingapplication 221 receives an event 227 (FIG. 2) corresponding to thepublic identifier 109. The event 227 may be generated by a clientapplication 266 (FIG. 2) executed in a producer client device 206 (FIG.2), a producer server device, or another device. The label bearing thepublic identifier 109 may be scanned, and additional informationdescribing the event 227 may be entered manually via a user interface269 (FIG. 2) or may be supplied automatically via an applicationprogramming interface (API). In one embodiment, information about anitem (or potentially multiple items) may be uploaded to the itemtracking application 221 via a spreadsheet, comma-delimited file, and/orother file.

For example, the event 227 may indicate that the label bearing thepublic identifier 109 was affixed to a specific item having certaincharacteristics, that the specific item was received by a distributor,stored in a fulfillment center, picked up by a shipping carrier, shippedto a particular consumer, and so on. The item tracking application 221may provide an indication of validity to the producer client device 206from which the public identifier 109 was received. In some scenarios, atrusted entity will refuse to complete an action (e.g., shipping anitem, storing an item in a warehouse, fulfilling an order for an item,etc.) unless the item has a valid label affixed to it. In box 318, theitem tracking application 221 records the event 227 in the item historyrecord 239 (FIG. 2) in the item data 230 (FIG. 2) for the item.

In box 321, the item tracking application 221 determines whether anotherevent 227 is received. If another event 227 is received, the itemtracking application 221 returns to box 315. In this way, the itemtracking application 221 may build up an item history record 239 for theitem that includes multiple events 227 corresponding to a complete chainof custody for the item. If another event 227 is not received, theportion of the item tracking application 221 ends.

Turning now to FIG. 3B, shown is a flowchart that provides one exampleof the operation of another portion of the item tracking application 221according to various embodiments. It is understood that the flowchart ofFIG. 3B provides merely an example of the many different types offunctional arrangements that may be employed to implement the operationof the portion of the item tracking application 221 as described herein.As an alternative, the flowchart of FIG. 3B may be viewed as depictingan example of elements of a method implemented in the computingenvironment 203 (FIG. 2) according to one or more embodiments.

Beginning with box 330, the item tracking application 221 receives oneor more security credentials 248 (FIG. 2) from a consumer client device209 (FIG. 2). For example, the security credentials 248 may include ausername and a password. In box 333, the item tracking application 221authenticates the consumer client device 209 based at least in part onthe provided security credentials 248. In box 336, the item trackingapplication 221 receives a private identifier 118 (FIG. 2) from theconsumer client device 209 in an authentication request 242 (FIG. 2).For example, a user may use the client application 266 (FIG. 2) to scana QR code visible on the lower layer 106 (FIG. 1A) of a multi-layeridentifier label 100 (FIG. 1A).

In box 339, the item tracking application 221 assesses the authenticityof the item. As an initial matter, the item tracking application 221 maydetermine that the private identifier 118 is valid and is in factassigned to an item. The item tracking application 221 may compute ahashed value of the received private identifier 118 and compare thatvalue with a stored hashed value of a private identifier 118. The itemtracking application 221 may reconcile the item history record 239 forthe assigned item to ensure that there are no irregularities that may beassociated with fraud. Based at least in part on the events 227 (FIG. 2)in the item history record 239, the item tracking application 221 isable to determine whether the item is to be considered authentic. Insome cases, the authentication request 242 may meet or exceed a maximumthreshold for a number of authentication requests 242 for an item, whichmay call the authenticity of the item into question. In one scenario, anauthentication request 242 from a consumer who did not purchase the itemmay call the authenticity of the item into question.

In box 342, the item tracking application 221 determines whether theitem is considered authentic. If so, the item tracking application 221moves to box 345 and sends an indication of authenticity to the consumerclient device 209. The item tracking application 221 then proceeds tobox 348. If the item is not determined to be authentic, the itemtracking application 221 instead moves from box 342 to box 351. In box351, the item tracking application 221 sends an indication ofnon-authenticity to the consumer client device 209. For example, theindication may take the form of a warning message. In some cases, asystem administrator or other user may be informed of the irregularityor potential fraud relating to the item and/or the label. The itemtracking application 221 then continues to box 354.

In box 348, the item tracking application 221 sends at least a portionof the item history information contained in the item history record 239to the consumer client device 209. This information may relate to thesource, ingredients, chain of custody, and/or other information aboutthe item that may be gleaned from the events 227. Ultimately, the clientapplication 266 may render when and where the item was manufactured,when the item was shipped and where it was shipped from, when and wherethe item was delivered, and/or other information. In one embodiment,this information may be rendered in a user interface 269 (FIG. 2)including an interactive map.

In box 354, the item tracking application 221 may record informationabout the authentication request 242. This information may be used infuture authentication requests 242 to ensure that a maximum number ofauthentication requests 242 is not exceeded for the item. Thereafter,the portion of the item tracking application 221 ends.

Moving now to FIG. 3C, shown is a flowchart that provides one example ofthe operation of a portion of the label verification system 225according to various embodiments. It is understood that the flowchart ofFIG. 3C provides merely an example of the many different types offunctional arrangements that may be employed to implement the operationof the portion of the label verification system 225 as described herein.As an alternative, the flowchart of FIG. 3C may be viewed as depictingan example of elements of a method implemented in the computingenvironment 203 (FIG. 2) according to one or more embodiments.

Beginning with box 360, the label verification system 225 uses thesensor 226 a (FIG. 2) to capture an image of the lower layer 106(FIG. 1) of a multi-layer identifier label 100 (FIG. 1) before the upperlayer 103 (FIG. 1) is affixed on top of the lower layer 106 tocompletely obscure the lower layer 106. In box 363, the labelverification system 225 uses the sensor 226 b (FIG. 2) to capture animage of the upper layer 103. The image of the upper layer 103 may becaptured immediately after the upper layer 103 is affixed on top of thelower layer 106. Likewise, the image of the lower layer 106 may becaptured immediately before the upper layer 103 is affixed on top of thelower layer 106.

In box 366, the label verification system 225 recognizes a publicidentifier 109 (FIG. 1) in the image of the upper layer 103. In doingso, the label verification system 225 may determine whether the publicidentifier 109 is a valid identifier. In box 369, the label verificationsystem 225 recognizes a private identifier 118 (FIG. 1) in the image ofthe lower layer 106. In doing so, the label verification system 225 maydetermine whether the private identifier 118 is a valid identifier. Forexample, the label verification system 225 may query the item data 230(FIG. 2) or the item tracking application 221 (FIG. 2) to determineidentifier validity. Alternatively, the label verification system 225may confirm whether the identifiers conform to a predefined format.

In box 372, in order to verify a correct production of the multi-layeridentifier label 100, the label verification system 225 determineswhether the private identifier 118 is associated with the publicidentifier 109. For example, the label verification system 225 may querythe item data 230 or the item tracking application 221 to determinewhether the identifiers are associated with each other. As the privateidentifier 118 may be stored in the data store 218 as a hashed value,the label verification system 225 or other logic may compute a hashedvalue of the recognized private identifier 118 in order to compare thehashed value with the stored hashed value.

If the private identifier 118 is not associated with the publicidentifier 109, or if there is an error in recognizing either of thepublic identifier 109 or the private identifier 118, the labelverification system 225 moves to box 375 and reports an error in theproduction of the multi-layer identifier label 100. Thereafter, theportion of the label verification system 225 ends.

If, instead, the label verification system 225 verifies the privateidentifier 118 is associated with the public identifier 109, the labelverification system 225 may report a correct production of themulti-layer identifier label 100 in box 378. Thereafter, the portion ofthe label verification system 225 ends.

Although the flowchart of FIG. 3C relates to the use of multiple sensors226 to capture multiple images, in some embodiments, the publicidentifier 109 and the private identifier 118 may both be printed uponthe bottom layer 106, and a single sensor 226 may be used to capture asingle image. Also, it is noted that the sensors 226 may be used tocapture or scan identifiers that are not visibly readable in someembodiments, such as radio-frequency identifiers, magnetic identifiers,etc. Such identifiers may be embedded into product packaging rather thanin or on a label.

Continuing now to FIG. 4, shown is an example of a state diagram 400according to one embodiment. The state diagram 400 corresponds to alifecycle of an item and its associated public identifier 109 (FIG. 2)and private identifier 118 (FIG. 2). Each of the following statetransitions may be memorialized by events 227 (FIG. 2) in the itemhistory record 239 (FIG. 2). Beginning with box 403, when the publicidentifier 109 and the private identifier 118 are first generated, theitem is in the “born” or “created” state. Next, in box 406, when thecorresponding label is printed, the item is in the “printed” state. Thismay depend on an acknowledgement from the printer via the label printingservice 224 (FIG. 2).

In box 409, when the label has been affixed to the item, the item is inthe “labeled” state. In box 412, when the item has been received by afulfillment center, the item is in the “received” state. In box 415,when the item has been shipped, the item is then in the “shipped” state.In box 418, when the authenticity of the item has been verified by aconsumer, the item is in the “verified” state.

In some cases, the item may not be in the “received” state, as the itemmay be shipped directly by the manufacturer or vendor. Thus, box 409 mayinstead transition directly to box 415. If various scenarios occur, theitem may transition from any other state to box 421 in the “revoked”state. For example, if it is determined that private identifiers 118have been compromised prior to label printing, the item may transitionfrom “born” to “revoked.” Likewise, if labels from the printer are lost,the item may transition from “printed” to “revoked.” Similarly, if itemthat are “labeled,” “received,” or “shipped” are not accounted for, theitem may transition to “revoked.” Also, if an item has been verifiedbeyond a maximum threshold of times or beyond a maximum threshold ofconsumer users, the item may transition from “verified” to “revoked.”

With reference to FIG. 5, shown is a schematic block diagram of thecomputing environment 203 according to an embodiment of the presentdisclosure. The computing environment 203 includes one or more computingdevices 500. Each computing device 500 includes at least one processorcircuit, for example, having a processor 503 and a memory 506, both ofwhich are coupled to a local interface 509. To this end, each computingdevice 500 may comprise, for example, at least one server computer orlike device. The local interface 509 may comprise, for example, a databus with an accompanying address/control bus or other bus structure ascan be appreciated.

Stored in the memory 506 are both data and several components that areexecutable by the processor 503. In particular, stored in the memory 506and executable by the processor 503 are the item tracking application221, the label printing service 224, the label verification system 225,and potentially other applications. Also stored in the memory 506 may bea data store 218 and other data. In addition, an operating system may bestored in the memory 506 and executable by the processor 503.

It is understood that there may be other applications that are stored inthe memory 506 and are executable by the processor 503 as can beappreciated. Where any component discussed herein is implemented in theform of software, any one of a number of programming languages may beemployed such as, for example, C, C++, C#, Objective C, Java®,JavaScript®, Perl, PHP, Visual Basic®, Python®, Ruby, Flash®, or otherprogramming languages.

A number of software components are stored in the memory 506 and areexecutable by the processor 503. In this respect, the term “executable”means a program file that is in a form that can ultimately be run by theprocessor 503. Examples of executable programs may be, for example, acompiled program that can be translated into machine code in a formatthat can be loaded into a random access portion of the memory 506 andrun by the processor 503, source code that may be expressed in properformat such as object code that is capable of being loaded into a randomaccess portion of the memory 506 and executed by the processor 503, orsource code that may be interpreted by another executable program togenerate instructions in a random access portion of the memory 506 to beexecuted by the processor 503, etc. An executable program may be storedin any portion or component of the memory 506 including, for example,random access memory (RAM), read-only memory (ROM), hard drive,solid-state drive, USB flash drive, memory card, optical disc such ascompact disc (CD) or digital versatile disc (DVD), floppy disk, magnetictape, or other memory components.

The memory 506 is defined herein as including both volatile andnonvolatile memory and data storage components. Volatile components arethose that do not retain data values upon loss of power. Nonvolatilecomponents are those that retain data upon a loss of power. Thus, thememory 506 may comprise, for example, random access memory (RAM),read-only memory (ROM), hard disk drives, solid-state drives, USB flashdrives, memory cards accessed via a memory card reader, floppy disksaccessed via an associated floppy disk drive, optical discs accessed viaan optical disc drive, magnetic tapes accessed via an appropriate tapedrive, and/or other memory components, or a combination of any two ormore of these memory components. In addition, the RAM may comprise, forexample, static random access memory (SRAM), dynamic random accessmemory (DRAM), or magnetic random access memory (MRAM) and other suchdevices. The ROM may comprise, for example, a programmable read-onlymemory (PROM), an erasable programmable read-only memory (EPROM), anelectrically erasable programmable read-only memory (EEPROM), or otherlike memory device.

Also, the processor 503 may represent multiple processors 503 and/ormultiple processor cores and the memory 506 may represent multiplememories 506 that operate in parallel processing circuits, respectively.In such a case, the local interface 509 may be an appropriate networkthat facilitates communication between any two of the multipleprocessors 503, between any processor 503 and any of the memories 506,or between any two of the memories 506, etc. The local interface 509 maycomprise additional systems designed to coordinate this communication,including, for example, performing load balancing. The processor 503 maybe of electrical or of some other available construction.

Although the item tracking application 221, the label printing service224, the label verification system 225, and other various systemsdescribed herein may be embodied in software or code executed by generalpurpose hardware as discussed above, as an alternative the same may alsobe embodied in dedicated hardware or a combination of software/generalpurpose hardware and dedicated hardware. If embodied in dedicatedhardware, each can be implemented as a circuit or state machine thatemploys any one of or a combination of a number of technologies. Thesetechnologies may include, but are not limited to, discrete logiccircuits having logic gates for implementing various logic functionsupon an application of one or more data signals, application specificintegrated circuits (ASICs) having appropriate logic gates,field-programmable gate arrays (FPGAs), or other components, etc. Suchtechnologies are generally well known by those skilled in the art and,consequently, are not described in detail herein.

The flowcharts of FIGS. 3A-3C show the functionality and operation of animplementation of portions of the item tracking application 221 and thelabel verification system 225. If embodied in software, each block mayrepresent a module, segment, or portion of code that comprises programinstructions to implement the specified logical function(s). The programinstructions may be embodied in the form of source code that compriseshuman-readable statements written in a programming language or machinecode that comprises numerical instructions recognizable by a suitableexecution system such as a processor 503 in a computer system or othersystem. The machine code may be converted from the source code, etc. Ifembodied in hardware, each block may represent a circuit or a number ofinterconnected circuits to implement the specified logical function(s).

Although the flowcharts of FIGS. 3A-3C show a specific order ofexecution, it is understood that the order of execution may differ fromthat which is depicted. For example, the order of execution of two ormore blocks may be scrambled relative to the order shown. Also, two ormore blocks shown in succession in FIGS. 3A-3C may be executedconcurrently or with partial concurrence. Further, in some embodiments,one or more of the blocks shown in FIGS. 3A-3C may be skipped oromitted. In addition, any number of counters, state variables, warningsemaphores, or messages might be added to the logical flow describedherein, for purposes of enhanced utility, accounting, performancemeasurement, or providing troubleshooting aids, etc. It is understoodthat all such variations are within the scope of the present disclosure.

Also, any logic or application described herein, including the itemtracking application 221, the label printing service 224, and the labelverification system 225, that comprises software or code can be embodiedin any non-transitory computer-readable medium for use by or inconnection with an instruction execution system such as, for example, aprocessor 503 in a computer system or other system. In this sense, thelogic may comprise, for example, statements including instructions anddeclarations that can be fetched from the computer-readable medium andexecuted by the instruction execution system. In the context of thepresent disclosure, a “computer-readable medium” can be any medium thatcan contain, store, or maintain the logic or application describedherein for use by or in connection with the instruction executionsystem.

The computer-readable medium can comprise any one of many physical mediasuch as, for example, magnetic, optical, or semiconductor media. Morespecific examples of a suitable computer-readable medium would include,but are not limited to, magnetic tapes, magnetic floppy diskettes,magnetic hard drives, memory cards, solid-state drives, USB flashdrives, or optical discs. Also, the computer-readable medium may be arandom access memory (RAM) including, for example, static random accessmemory (SRAM) and dynamic random access memory (DRAM), or magneticrandom access memory (MRAM). In addition, the computer-readable mediummay be a read-only memory (ROM), a programmable read-only memory (PROM),an erasable programmable read-only memory (EPROM), an electricallyerasable programmable read-only memory (EEPROM), or other type of memorydevice.

Further, any logic or application described herein, including the itemtracking application 221, the label printing service 224, and the labelverification system 225, may be implemented and structured in a varietyof ways. For example, one or more applications described may beimplemented as modules or components of a single application. Further,one or more applications described herein may be executed in shared orseparate computing devices or a combination thereof. For example, aplurality of the applications described herein may execute in the samecomputing device 500, or in multiple computing devices 500 in the samecomputing environment 203. Additionally, it is understood that termssuch as “application,” “service,” “system,” “engine,” “module,” and soon may be interchangeable and are not intended to be limiting.

Disjunctive language such as the phrase “at least one of X, Y, or Z,”unless specifically stated otherwise, is otherwise understood with thecontext as used in general to present that an item, term, etc., may beeither X, Y, or Z, or any combination thereof (e.g., X, Y, and/or Z).Thus, such disjunctive language is not generally intended to, and shouldnot, imply that certain embodiments require at least one of X, at leastone of Y, or at least one of Z to each be present.

The above comprises at least the following exemplary clauses:

1. A non-transitory computer-readable medium embodying a programexecutable in at least one computing device, comprising: code thatgenerates a public identifier and a private identifier; code that causesprinting of an identifier label to be initiated, the public identifierbeing initially visible on the identifier label, the private identifierbeing non-visible unless a tamper-evident action is performed; code thatrecords individual events of a plurality of events in response toindividual scans of a plurality of scans of the public identifier; codethat receives a scan of the private identifier from a client device; andcode that sends authenticity information regarding the identifier labelto the client device, the authenticity information being based at leastin part on the plurality of events.

2. The non-transitory computer-readable medium of clause 1, wherein oneof the plurality of scans indicates at least that the identifier labelhas been affixed to a product.

3. The non-transitory computer-readable medium of clause 1, wherein oneof the plurality of scans indicates at least that a product has beenshipped.

4. The non-transitory computer-readable medium of clause 1, wherein thecode that sends the authenticity information is configured to send theauthenticity information to the client device in response to determiningthat the private identifier has not been scanned beyond a maximumthreshold number of times.

5. The non-transitory computer-readable medium of clause 1, furthercomprising code that authenticates the client device as being associatedwith a user account based at least in part on a security credentialobtained from the client device.

6. A system, comprising: at least one computing device; and an itemtracking application executable in the at least one computing device,the item tracking application comprising: logic that receives anauthentication request for an item, the authentication requestspecifying a private identifier for the item; logic that, in response toreceiving the authentication request, determines whether the item isauthentic based at least in part on at least one item history event inan item history record, the item history record corresponding to theprivate identifier, the at least one item history event being recordedin association with a public identifier for the item; and logic thatsends information identifying whether the item is authentic to a clientdevice.

7. The system of clause 6, wherein the item tracking application furthercomprises: logic that determines a number of times that the privateidentifier has been received; and wherein the logic that sends theinformation identifying whether the item is authentic is configured tosend the information in response to determining that the number of timesthat the private identifier has been received does not meet a maximumthreshold.

8. The system of clause 6, wherein the item tracking application furthercomprises: logic that receives at least one security credential from theclient device; and logic that authenticates the client device as beingassociated with a user account based at least in part on the at leastone security credential prior to receiving the private identifier forthe item.

9. The system of clause 6, wherein the item tracking application furthercomprises: logic that generates a hashed value of the private identifierreceived from the authentication request; and logic that compares thehashed value with a stored hashed value of the private identifier.

10. The system of clause 6, wherein the item tracking applicationfurther comprises: logic that receives an item history event inassociation with the public identifier; and logic that updates the itemhistory record in response to receiving the item history event inassociation with the public identifier.

11. The system of clause 6, wherein the logic that receives theauthentication request further comprises logic that receives datacorresponding to an optical scan by the client device of a privateidentifier label affixed to the item.

12. The system of clause 6, wherein the item tracking applicationfurther comprises logic that sends information corresponding to the atleast one item history event to the client device.

13. The system of clause 6, wherein the at least one item history eventcomprises a plurality of item history events that include at least oneof: an item label printed event, an item label revoked event, an itemlabeled event, an item shipped event, or an item verified event.

14. A method, comprising: generating, by at least one computing device,a public identifier and a private identifier; receiving, by the at leastone computing device, the public identifier in association withindividual ones of a plurality of events, the individual ones of theplurality of events representing a respective scan of the publicidentifier affixed to an item, the private identifier being also affixedto the item but not capable of being scanned; and recording, by the atleast one computing device, the individual ones of the plurality ofevents in association with both the public identifier and the privateidentifier.

15. The method of clause 14, wherein both the public identifier and theprivate identifier are unique to the item.

16. The method of clause 14, further comprising causing, by the at leastone computing device, printing of an identifier label to be initiated,the public identifier being initially visible on the identifier label,the private identifier being initially non-visible on the identifierlabel.

17. The method of clause 14, further comprising storing, by the at leastone computing device, an encrypted version of the private identifier.

18. The method of clause 14, further comprising: determining, by the atleast one computing device, that the item has been ordered by acustomer; and associating, by the at least one computing device, thepublic identifier and the private identifier with the customer.

19. The method of clause 14, further comprising: receiving, by the atleast one computing device, the private identifier from a client device;and determining, by the at least one computing device, whether the itemis authentic based at least in part on the recorded plurality of events;and sending, by the at least one computing device, user interface dataindicating whether the item is authentic to the client device.

20. The method of clause 19, further comprising determining, by the atleast one computing device, that the private identifier has not beenreceived beyond a maximum threshold number of times.

21. A multi-layer identifier label, comprising: an opaque upper layerbearing a public identifier; a lower layer bearing a private identifier,the upper layer being removably attached to the lower layer, the lowerlayer being non-visible underneath the opaque upper layer; an adhesivebacking below the lower layer that attaches the multi-layer identifierlabel to a product; wherein the public identifier comprises a firsttwo-dimensional barcode, the private identifier comprises a secondtwo-dimensional barcode, and the first two-dimensional barcode issmaller in size than the second two-dimensional barcode; and whereinpeeling away the opaque upper layer to reveal the lower layer is atamper-evident action.

22. The multi-layer identifier label of clause 21, wherein at least oneof the opaque upper layer or the lower layer includes a hologram.

23. The multi-layer identifier label of clause 21, wherein the opaqueupper layer bears a visual indication of a location where peeling of theopaque upper layer from the lower layer should be started by a user,wherein a glue release element is disposed at the location between theopaque upper layer and the lower layer.

24. The multi-layer identifier label of clause 21, wherein the opaqueupper layer includes a protrusion that extends beyond an edge of thelower layer.

25. The multi-layer identifier label of clause 21, wherein the lowerlayer includes a nook that recedes from an edge of the opaque upperlayer.

26. The multi-layer identifier label of clause 21, wherein an undersideof the opaque upper layer bears an instruction for an end user to scanthe private identifier.

27. A system, comprising: at least one computing device; and a labelverification system executed in the at least one computing device, thelabel verification system comprising: logic that captures a first imageof an upper layer of a multi-layer identifier label; logic that capturesa second image of a lower layer of the multi-layer identifier labelbefore the upper layer is affixed on top of the lower layer tocompletely obscure the lower layer; and logic that verifies a correctproduction of the multi-layer identifier label based at least in part onthe first image and the second image.

28. The system of clause 27, wherein the second image is capturedimmediately before the upper layer is affixed on top of the lower layerto completely obscure the lower layer.

29. The system of clause 27, wherein the first image is capturedimmediately after the upper layer is affixed on top of the lower layerto completely obscure the lower layer.

30. The system of clause 27, wherein the label verification systemfurther comprises: logic that determines a first identifier apparent inthe first image; logic that determines a second identifier apparent inthe second image; and wherein the correct production is verified basedat least in part on the first identifier and the second identifier.

31. The system of clause 30, wherein the first identifier is a firsttwo-dimensional barcode, and the second identifier is a secondtwo-dimensional barcode.

32. The system of clause 30, wherein the label verification systemfurther comprises logic that determines whether the first identifier andthe second identifiers are valid identifiers.

33. The system of clause 30, wherein the label verification systemfurther comprises logic that determines whether a stored associationexists between the first identifier and the second identifier in a datastore, wherein the correct production is verified when the storedassociation exists.

34. The system of clause 33, wherein logic that determines whether thestored association exists further comprises: logic that generates ahashed value of the second identifier; and logic that compares thehashed value with a stored hashed value associated with the firstidentifier.

35. A multi-layer identifier label, comprising: an upper layer bearing apublic identifier; a lower layer bearing a private identifier, the upperlayer being removably attached to the lower layer, the lower layer beingnon-visible underneath the upper layer; an adhesive backing below thelower layer; and wherein peeling away the upper layer to reveal thelower layer is a tamper-evident action.

36. The multi-layer identifier label of clause 35, wherein the publicidentifier comprises a first two-dimensional barcode, the privateidentifier comprises a second two-dimensional barcode, and the firsttwo-dimensional barcode is smaller in size than the secondtwo-dimensional barcode.

37. The multi-layer identifier label of clause 36, wherein the secondtwo-dimensional barcode is not a quick response (QR) code.

38. The multi-layer identifier label of clause 35, wherein the upperlayer is configured to release cleanly from the lower layer such that anunderside of the upper layer is non-sticky when peeled away from thelower layer.

39. The multi-layer identifier label of clause 35, wherein the lowerlayer is constructed of a tamper-evident material configured to indicatewhether the multi-layer identifier label has been affixed to a surfaceand then removed from the surface.

40. The multi-layer identifier label of clause 35, wherein an undersideof the upper layer bears an instruction for an end user to scan theprivate identifier.

It should be emphasized that the above-described embodiments of thepresent disclosure are merely possible examples of implementations setforth for a clear understanding of the principles of the disclosure.Many variations and modifications may be made to the above-describedembodiment(s) without departing substantially from the spirit andprinciples of the disclosure. All such modifications and variations areintended to be included herein within the scope of this disclosure andprotected by the following claims.

Therefore, the following is claimed:
 1. A multi-layer identifier label,comprising: an opaque upper layer bearing a public identifier; a lowerlayer bearing a private identifier, the upper layer being removablyattached to the lower layer, the lower layer being non-visibleunderneath the opaque upper layer; an adhesive backing below the lowerlayer that attaches the multi-layer identifier label to a product;wherein the public identifier comprises a first two-dimensional barcode,the private identifier comprises a second two-dimensional barcode, andthe first two-dimensional barcode is smaller in size than the secondtwo-dimensional barcode; wherein the opaque upper layer bears a visualindication of a location where peeling of the opaque upper layer fromthe lower layer should be started by a user; wherein a glue releaseelement is disposed at the location between the opaque upper layer andthe lower layer; and wherein peeling away the opaque upper layer toreveal the lower layer is a tamper-evident action.
 2. The multi-layeridentifier label of claim 1, wherein at least one of the opaque upperlayer or the lower layer includes a hologram.
 3. The multi-layeridentifier label of claim 1, wherein the opaque upper layer includes aprotrusion that extends beyond an edge of the lower layer.
 4. Themulti-layer identifier label of claim 1, wherein the lower layerincludes a nook that recedes from an edge of the opaque upper layer. 5.The multi-layer identifier label of claim 1, wherein an underside of theopaque upper layer bears an instruction for an end user to scan theprivate identifier.
 6. The multi-layer identifier label of claim 1,wherein the opaque upper layer is configured to release cleanly from thelower layer such that an underside of the opaque upper layer isnon-sticky when peeled away from the lower layer.
 7. A multi-layeridentifier label, comprising: an upper layer bearing a publicidentifier; a lower layer bearing a private identifier, the upper layerbeing removably attached to the lower layer, the lower layer beingnon-visible underneath the upper layer; an adhesive backing below thelower layer; wherein the upper layer is configured to release cleanlyfrom the lower layer such that an underside of the upper layer isnon-sticky when peeled away from the lower layer; and wherein peelingaway the upper layer to reveal the lower layer is a tamper-evidentaction.
 8. The multi-layer identifier label of claim 7, wherein thepublic identifier comprises a first two-dimensional barcode, the privateidentifier comprises a second two-dimensional barcode, and the firsttwo-dimensional barcode is smaller in size than the secondtwo-dimensional barcode.
 9. The multi-layer identifier label of claim 8,wherein the second two-dimensional barcode is not a quick response (QR)code.
 10. The multi-layer identifier label of claim 7, wherein the lowerlayer is constructed of a tamper-evident material configured to indicatewhether the multi-layer identifier label has been affixed to a surfaceand then removed from the surface.
 11. The multi-layer identifier labelof claim 7, wherein an underside of the upper layer bears an instructionfor an end user to scan the private identifier.
 12. The multi-layeridentifier label of claim 7, wherein the lower layer includes a nookthat recedes from an edge of the upper layer.
 13. The multi-layeridentifier label of claim 7, wherein the upper layer bears a visualindication of a location where peeling of the upper layer from the lowerlayer should be started by a user.
 14. The multi-layer identifier labelof claim 13, wherein a glue release element is disposed at the locationbetween the upper layer and the lower layer.
 15. A multi-layeridentifier label, comprising: an opaque upper layer bearing a publicidentifier; a lower layer bearing a private identifier, the upper layerbeing removably attached to the lower layer, the lower layer beingnon-visible underneath the opaque upper layer; an adhesive backing belowthe lower layer that attaches the multi-layer identifier label to aproduct; wherein the public identifier comprises a first two-dimensionalbarcode, the private identifier comprises a second two-dimensionalbarcode, and the first two-dimensional barcode is smaller in size thanthe second two-dimensional barcode; wherein the lower layer includes anook that recedes from an edge of the opaque upper layer; and whereinpeeling away the opaque upper layer to reveal the lower layer is atamper-evident action.
 16. The multi-layer identifier label of claim 15,wherein at least one of the opaque upper layer or the lower layerincludes a hologram.
 17. The multi-layer identifier label of claim 15,wherein the opaque upper layer includes a protrusion that extends beyondan edge of the lower layer.
 18. The multi-layer identifier label ofclaim 15, wherein an underside of the opaque upper layer bears aninstruction for an end user to scan the private identifier.
 19. Themulti-layer identifier label of claim 15, wherein the opaque upper layerbears a visual indication of a location where peeling of the opaqueupper layer from the lower layer should be started by a user.
 20. Themulti-layer identifier label of claim 19, wherein a glue release elementis disposed at the location between the opaque upper layer and the lowerlayer.